
What Kind Of Security Tools Should I Provide My Developers?

Who says developers don't care about security? Give them the tools to help them build security into their code.

Casey Bisson, Head of Product and Developer Relations, BluBracket

March 16, 2022


Question: What kind of security tools should I provide my developers?

Casey Bisson, Head of Product and Developer Relations, BluBracket: There’s a belief that developers don’t care about security. Nothing could be further from the truth.

Developers are passionate about building great solutions, and security is emphatically part of a job well done. But if developers are forced to use tools or navigate a policy that blocks progress, they’ll engineer a way around those tools or policies.

Companies can choose between tools that help developers work effectively and securely, or tools they have to work around. It has never been more critical to empower developers with tools that promote security instead of those that ultimately detract.

Use pre-commit hooks to enforce conventional commit messages.

Commit messages are an afterthought for many developers, but the conventional commit format helps break the writer’s block that sometimes hits us when trying to describe what the commit does.

Commit messages are the first thing we see when going through code history to understand why something was changed and what the intent was. When another developer has to go spelunking in code to dig into a bug—or especially a security issue—conventional commits can help make sense of the noise and make it easier to identify anything questionable.

Use pre-commit hooks to scan for secrets and other code risks before they get into code.

A secret in code is a secret told. Blocking secrets at the source is one of the most important steps developers can take to improve security.
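As an added illustration of the pre-commit secret scan described above (not code from the article, BluBracket, or any scanning product): a Python hook that checks only the lines being added in the staged diff. The two regex rules, the credential-name heuristic and the 3.5-bit entropy threshold are assumptions chosen for this sketch.

```python
#!/usr/bin/env python3
"""Pre-commit hook sketch: fail the commit if staged lines look like secrets."""
import math
import re
import subprocess
import sys
from collections import Counter

# Illustrative rules (assumptions for this sketch); real scanners ship many more.
RULES = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
}
# Quoted value of 16+ chars assigned to a credential-sounding name.
ASSIGNMENT = re.compile(
    r"(?i)\b\w*(?:secret|token|passw(?:or)?d|api_?key)\w*\s*[:=]\s*['\"]([^'\"]{16,})['\"]")

def entropy(s):  # Shannon entropy in bits per character; placeholders score low
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def scan_diff(diff_text, min_entropy=3.5):
    """Return (path, new_line_no, rule) for every added line that matches."""
    findings, path, line_no = [], None, 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):            # new-file header
            path = line[4:].removeprefix("b/")
        elif line.startswith("@@"):            # hunk header: @@ -a,b +c,d @@
            line_no = int(re.search(r"\+(\d+)", line).group(1))
        elif line.startswith("+"):             # added line
            text = line[1:]
            for name, rx in RULES.items():
                if rx.search(text):
                    findings.append((path, line_no, name))
            m = ASSIGNMENT.search(text)
            if m and entropy(m.group(1)) >= min_entropy:
                findings.append((path, line_no, "high-entropy-assignment"))
            line_no += 1
        elif line.startswith(" "):             # context line (absent with -U0)
            line_no += 1
    return findings

if __name__ == "__main__":
    staged = subprocess.run(["git", "diff", "--cached", "-U0", "--no-color"],
                            capture_output=True, text=True, check=True).stdout
    hits = scan_diff(staged)
    for path, n, rule in hits:
        print(f"{path}:{n}: possible secret ({rule})", file=sys.stderr)
    sys.exit(1 if hits else 0)
```

Saved as an executable `.git/hooks/pre-commit`, the non-zero exit aborts the commit. Local hooks can be skipped with `git commit --no-verify`, so the same scan belongs in CI as well.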

Sign your commits.

...and enforce signed commits using branch protection rules. Signed commits are the start of a secure code supply chain.

Automate your security.

We’ve long been using automated testing in the CI process to give developers immediate feedback on every commit/PR and end the “it works on my machine” problem. Automated security testing in that flow drives the same improvements for security: giving developers guidance about security risks before they get deployed is the best way to improve security with every commit.

About the Author(s)

Casey Bisson

Head of Product and Developer Relations, BluBracket

Casey Bisson has over 15 years of experience as an engineering and product leader in consumer and B2B SaaS, including hyperscale public cloud IaaS, where he helped drive a DevOps revolution for container infrastructure and continuous delivery. Casey has worked with open source communities throughout his career and demonstrated continued focus on making tools and systems usable.
